Avid mobile YouTube users, especially those involved in diplomatic work in Pakistan and India, should be very careful when downloading the famous video app as experts have discovered at least three fake YouTube apps that actually offer Remote Access are Trojans (RAT). go after their data.
Cybersecurity researchers at SentinelLabs recently observed a threat actor known as Transparent Tribe (APT36), which is likely using social channels and fake landing pages to distribute apps that look like YouTube, but are instead malware known as CapraRAT. The apps cannot be found in the official Google Play Store, Google confirmed to the media.
This remote access Trojan can steal all kinds of sensitive data from the endpoint (SMS messages, call logs, GPS data, etc.), as well as record audio and video and send them to the operators. It can also take screenshots, overwrite system settings, and modify files on the device’s file system. All of that is enough to carry out successful identity theft campaigns, phishing attacks, and social engineering attacks, not to mention outright data theft, among other things.
Been active for years
Two of the apps are simply called YouTube, while the third is called Piya Sharma – after an Indian presenter and influencer, and most likely used in romance-based fraud. All apps request extensive permissions upon installation, which should be enough of a red flag for most people. If that’s not enough, the apps look more like a web browser than a native app and lack some features present in the legitimate YouTube app.
SentinelLabs says APT36 most likely has ties to the Pakistani government and is targeting Indian defense and government agencies, human rights activists, diplomats involved in the Kashmir region and the like.
The group has been active since at least 2018 and was spotted earlier this year distributing CapraRAT apps disguised as dating services. To ensure you don’t fall for the trick, make sure you always download apps only from official repositories (e.g. Google Play Store or the Galaxy Store) and be wary of any permissions the apps request from the installation.